Misinformation: the new threat to insider threat detection
by Avivah Litan | November 8, 2016
I just returned from a FITSI federal government information security conference where I spoke about insider threats. A forensics expert in the audience asked one of the most provocative questions I’ve heard on this issue – what happens if an insider threat detection system falsely accuses an insider of a crime? This of course is something we should expect given the frequent occurrences of false positives in most detection systems.
And what if this false alert/identification was generated because of intentional manipulation of information considered to be evidence? This forensic expert said he recently worked on a case where an employee was falsely accused of perpetrating insider theft. A key piece of evidence was an email purported to be sent from this employee’s account which proved the crime and the insider’s malicious intent.
It turns out it was a ‘fake’ planted email which the forensic investigator eventually proved was never sent from the employee’s account. But the case still had to be resolved in a costly trial in a court of law.
The Russians are reportedly engaged in an active deterministic misinformation campaign in the United States (see the Newsweek article on the Russian misinformation campaign), and we should expect other nation states and other bad actors to follow suit if they haven’t already. These misinformation campaigns will no doubt be used to implicate innocent insiders — in many cases to cover up those insiders who really commit harmful crimes against their employers.
Our detection analytics are only as good as the information that’s ingested. These days, there is so much misinformation out there that we must assume hard facts can be manipulated or hidden. Without them, we can’t get to the truth – whether it’s for a forensic investigation, insider threat detection, or any other situation that needs to be assessed.
Information integrity is essential to insider threat detection. Easier said than done.
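One concrete way to build that integrity in, as an added illustration that is not part of the original post: keep the mail-server send log as a tamper-evident chain of keyed hashes, and refuse to feed an "evidence" email into the detection analytics unless a verified send record corroborates it. The key, addresses and message ids below are constructed for the example.

```python
import hmac, hashlib, json

# Constructed sample data: the log key, sender address and message ids are
# invented for this example. In practice the key is held by the log writer,
# not by the analyst who later reads the log.
LOG_KEY = b"constructed-demo-key"

def _tag(key, prev_tag, record):
    # Canonical JSON so the same record always hashes the same way.
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + canon, hashlib.sha256).hexdigest()

def build_chain(key, records):
    """Append records to a chain where each tag covers the record and the
    previous tag, so an inserted, edited or deleted entry breaks verification."""
    entries, prev = [], "genesis"
    for r in records:
        prev = _tag(key, prev, r)
        entries.append({"record": r, "tag": prev})
    return entries

def verify_chain(key, entries):
    prev = "genesis"
    for e in entries:
        if not hmac.compare_digest(_tag(key, prev, e["record"]), e["tag"]):
            return False
        prev = e["tag"]
    return True

def corroborate(key, entries, evidence):
    """Classify an email offered as evidence against the verified send log.
    Returns 'corroborated', 'uncorroborated' (no send record, e.g. a planted
    message) or 'log-tampered' (the log itself cannot be trusted)."""
    if not verify_chain(key, entries):
        return "log-tampered"
    for e in entries:
        r = e["record"]
        if r["message_id"] == evidence["message_id"] and r["from"] == evidence["from"]:
            return "corroborated"
    return "uncorroborated"

SEND_LOG = build_chain(LOG_KEY, [
    {"ts": "2016-11-01T09:12:03Z", "from": "jdoe@example.test", "message_id": "<a1@example.test>"},
    {"ts": "2016-11-01T09:40:11Z", "from": "jdoe@example.test", "message_id": "<a2@example.test>"},
])
PLANTED = {"from": "jdoe@example.test", "message_id": "<x9@example.test>"}  # never actually sent
GENUINE = {"from": "jdoe@example.test", "message_id": "<a2@example.test>"}
```

A planted message that was never sent from the account comes back "uncorroborated" rather than being scored as evidence, and any edit to the log to make it fit comes back "log-tampered".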